The GDPR outlines clear and lawful grounds for processing personal data, meaning that processing data is only lawful should one or more of these grounds apply.
Data Security and Protection Overview
Lawfulness of Processing
1 - Consent
Clear and unambiguous action given by an informed individual. When collecting consent it must be clear to the individual that they are giving consent. Confusing methods of ‘consent’ are not lawful.
2- Compliance
Data processing may be necessary due to a legal obligation. If Data is needed in order to comply with a legal obligation its lawful bases would be compliance. E.g. retention of financial information.
3- Public Interests
Necessary for the performance of a task carried out in public interest. For Example a humanitarian disaster, this is reserved for the exercise of official authority.
4- Vital Interests
Necessary in order to protect vital interests of the data subjects. This refers to life or death and is used for medical reasons.
5- Contract Performance
Necessary in order or enter into or perform a contract with the data subject. For Example providing goods or services between the provider and consumer or between an employer and employee.
6- Legitimate interest
Data processing is necessary for purposes of legitimate interests. If this route is chosen it must not impact on the rights or freedoms of the data subject.
When considering lawful grounds of processing data you should remember that the responsibility of proving each route lies with the controller (person processing the data). Neither the data subject or the regulator have responsibility to prove anything.
Your default thinking should be that all data processing is unlawful until proved to be otherwise.
